Analyzing Risk and Threat Assessment … Term Paper

Pages: 6 (2081 words) | Style: n/a
|
Sources: 0

Risk and Threat Assessment

Organizational Overview

The Bank of America ranks as one of the foremost financial organizations in the globe. It offers a wide range of services to retail customers as well as corporate organizations. Some of the services that it offers include: traditional banking services, management of investments and assets as well as management of risk. This bank has a wide network with its customer base, reaching 47 million retail customers, including the microenterprises. It has 4700 retail outlets with 16000 automated teller machines. On the online platform, this bank serves 32 million customers and on the cell phone platform, about 19 million customers access banking services. The bank stands out as a leader because it is able to offer services to not only individuals and corporations, but also governments. This is because of its wide range of services, including trading various assets, managing wealth and offering investment services. There are also many support services that are offered to microenterprises, including convenient online products. Bank of America has its operations all over the United States as well as in 35 other countries. It is a company listed on the New York Stock Exchange (Bank of America, 2016).

Bank of America Assessment

As with many companies, there are various departments that focus on security, including the information security department, the compliance department and the auditing department, which are global. There is also the security that handles the physical threats to the hardware and facilities of the organization.

Strengths

Disaster Recovery and Business Continuity

The Bank of America has put in place safeguards to protect itself from the physical damage that would befall it through disasters, whether natural or otherwise. In addition to this, it also has systems to enable it recover its data in the event of a disaster. Some of the ways that the bank has sought to protect itself include:

Data Replication and Backup- when the bank collects data, it copies it to different systems in a data center. Where the information is deemed crucial enough, it is also stored in remote data centers.

Third Party Data Centers- these are the data centers that are located in different places, which are meant to store information that can be used to continue the operations of the bank should a disaster occur. These third-party centers have swift internet connections so that there is no delay in relaying information. They are run in such a way that they are independent of each other and can be relied on at any time.

Incident Management

This accounts for the management of the bank's confidential information and systems, the integrity of the systems and information as well as ensuring the systems and data are always available for use. There are protocols for handling any events that affect these, and they include the way the message is relayed (notification), how it is moved up to the responsible party (escalation), the steps taken to overcome the challenge (mitigation) and documenting the event (documentation). The employees of the bank have been inducted in these processes so that they can handle any event and this preparation includes access of third party sites. There are various tests that are carried out to see how well the response is, especially in sensitive areas. These tests are not only run for the outside threats, but also for any internal ones.

Physical and Environment Management

The Bank of America values its data as well as facilities, and the environment in which the facilities based.

Personnel Security

There are many evaluations that are done on any person whom the bank is considering to hire. The educational background of the person is verified, their employment history looked into and references sought to vouch for the person. When it is within their legal mandate to do so, they may check on the person's criminal history, their credit scores and status with regard to immigration. Certain positions require more enhanced checks than others.

Authorization Controls

To prevent unauthorized personnel from accessing resources above their clearance, access rights using authorization controls are enforced. These are based on the employee's role and, where the concepts of need-to-know and least-privilege to match access privileges to defined responsibilities. BoA staff are granted limited permissions to access company resources, such as email, and other necessary internal portals. Based on the Employee's specific duty, additional permission may be granted to allow access to additional resources. This additional permission follows a formal process that involves requesting and getting approval from a manager, system or data owner, or other executives, as specified by in the specific security policy. Audit records keep track of all changes approved and are managed by workflow tools. Modification of authorization settings and the overall approval process are controlled by these workflow tools so as to ensure that the approval of policies follow a consistent process. These authorizations process and settings are very important as they control an employee's access to all resources, including data and systems used for customer information.

Accounting

BoA's policy specifies logging all administrative access to each system and all its data. Security staffs review these logs on a regular basis.

Monitoring

Information gathered from internal traffic, actions of staff on systems, and knowledge of current vulnerabilities in the security community are analyzed by a security monitoring program. At several points across the bank's global network, traffic is monitored for suspicious activity, for example traffic that may indicate botnetwork connections. The analysis is carried out by using a combination of commercial and open source tools for network traffic capture and parsing. This analysis is complemented by reviewing system logs to recognize unusual behavior, such as unusual activity in previous employees' accounts or attempts to access customer data.

Vulnerability Management

The BoA has a team on standby to handle all vulnerabilities detected in a timely manner. They scan for possible threats to the bank's security in-house and commercially developed tools, manual and automated penetration efforts, software security reviews, quality assurance (QA) processes, and external audits. This vulnerability management group is responsible for tracking and following up on vulnerabilities. As soon as a legitimate vulnerability that requires remediation is recognized by the Team, it is added to the log, prioritized based on its severity, and the owner of the data specifies actions to take. The vulnerability management team continues tracking these issues until they can are that it has been remediated.

Weaknesses

Access Control

Having numerous controls that include authenticating employees, going through various stages of authorizations and other means of ensuring security means that a lot of time is spent accomplishing these processes. Employees may thus not be optimally utilized and their contribution to the bank's core business may be reduced.

Threats

Malware

This is one of the threats that is a reality faced by many corporations. Malware can pose a threat to information integrity, network access and other system functions. Some service providers, such as Google have provided their customers with tools to combat this.

Hackers

Financial institutions have been found to be targeted by hackers more times than other corporations (Websense Security Labs, n. d.). Even when doing reconnaissance attacks, the companies most targeted still remain financial institutions. Banks sometimes are used by hackers as a conduit to get to targeted customers. An example of this is when a bank email account is compromised, hackers can look to erode the trust that clients have in the bank and then offer them a solution from elsewhere (Korolov, 2015). Bank of America can count hacking as one of its major threats.

All organizations are threatened by cyber-attacks. However, financial institutions face the most risk. As explained earlier, this is because they hold money as well as costumer identifiable information for both individuals as well as commercial entities. Off late, hackers have used internet payment and banking systems to siphon large sums of money from banks to their private accounts. This is therefore one of the most serious threats faced by BoA information and access control systems. These hackers have the ability to even control bank's ATMs and make them spew out cash at prearranged instances to waiting accomplices in complex cyber heists orchestrated internationally. The info-security company "Kaspersky Lab" predicts that in a single cyber-attack carried out touching a bank or other financial organizations resulted in as much as one billion dollars in loss (Kaspersky Lab, 2015). In line with the Identity Theft Resource Center (ITRC), this may be higher as a result of the data breaches that usually go unreported by financial institutions so as to protect their image (Paul Hastings, 2015).

Natural Disasters

The threat of natural disasters affects all companies and not just financial institutions. However, some form of mitigation can be made through insuring assets and the company's facilities.

Vulnerabilities

Data Asset Management

One key area where the Bank of America is vulnerable is in the area of its data assets, and these may be those related to the customer as well as core data assets of the bank. Espionage and hacking… [END OF PREVIEW]

Risk Management
Explain the difference between a Quantitative and Qualitative Analysis and discuss how to calculate the following: expected loss, single loss expectancy, annualized loss expectancy and safeguard value.
Quantitative…

Construction Project Risk Management
The nature of the construction market
The nature of the construction tasks makes the sector one-of-a-kind because the production centers or plants mostly need to relocate…